# rConfig useradmin.inc.php Information Disclosure Vulnerability

## Vulnerability Description

rConfig's `useradmin.inc.php` has an information disclosure vulnerability: the file can be requested directly, and its response reveals users' login names and e-mail addresses.

## Affected Products

```
rConfig
```

## Network Mapping

```
app="rConfig"
```

## Reproduction

The file containing the vulnerability (the listing starts partway through the file; `$db2` is the database wrapper created earlier in the same file):

```php
<?php
// $db2 is the rConfig database wrapper created earlier in the file (not shown in the listing)
$db2->query("SELECT timeZone FROM settings");
$result = $db2->resultsetCols();
$timeZone = $result[0];
date_default_timezone_set($timeZone);

/* Get Row count from users where NOT deleted */
$db2->query('SELECT COUNT(*) AS total FROM users WHERE status = 1');
$row = $db2->resultsetCols();
$result["total"] = $row[0];

/* Instantiate Paginator Class */
$pages = new Paginator;
$pages->items_total = $result['total'];
$pages->mid_range = 7; // Number of pages to display. Must be odd and > 3
$pages->paginate();
echo $pages->display_pages();
echo "<div>" . $pages->display_jump_menu() . $pages->display_items_per_page() . "</div>";

/* GET all nodes records from DB */
// No authentication or authorization check precedes this query: the user list is returned to any requester
$db2->query("SELECT id, username, userlevel, email, timestamp FROM users WHERE status = 1 $pages->limit");
$resultSelect = $db2->resultset();

// push rows to $items array
$items = array();
foreach ($resultSelect as $row) {
    array_push($items, $row);
}

/* Create Multidimensional array for use later */
$result["rows"] = $items;
$i = 0; # row counter to enable alternate row coloring
?>
<table>
  <tr>
    <th>Username</th>
    <th>E-mail</th>
    <th>User Level</th>
    <th>Last Login</th>
  </tr>
  <!-- the per-user rows are rendered here (not included in the listing) -->
</table>
<?php
echo $pages->display_pages();
echo "<div>";
echo "Page: $pages->current_page of $pages->num_pages";
echo "</div>\n";
?>
```

The file sets no access restriction, so anyone can request it and read the disclosed information.

The URL used to verify the vulnerability is:

```plain
/useradmin.inc.php
```

![](images/202202162242982.png)

User information is disclosed.
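As an added example (not rConfig's own code), the guard below shows how an include file of this kind can refuse direct requests and require an authenticated, privileged session before any database query runs. The session keys `rconfig_user` and `userlevel`, and the `ADMIN_LEVEL` threshold, are assumptions for the example, not rConfig identifiers.

```php
<?php
// Hardening guard for an include such as useradmin.inc.php (added example, not rConfig code).
// It must sit above every database call so that an unauthenticated direct request
// never reaches the query that lists users.

// Assumed privilege threshold for viewing the user list (not an rConfig constant).
const ADMIN_LEVEL = 9;

// 1. Refuse direct execution. When the web server runs this file itself,
//    SCRIPT_FILENAME is this file; when a page includes it, SCRIPT_FILENAME
//    is the including page, so legitimate use still passes.
$requested = realpath($_SERVER['SCRIPT_FILENAME'] ?? '');
if ($requested === false || $requested === realpath(__FILE__)) {
    http_response_code(403);
    exit('Direct access to include files is not permitted.');
}

// 2. Require an authenticated, sufficiently privileged session.
//    'rconfig_user' and 'userlevel' are assumed session keys for this example.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
$loggedIn = !empty($_SESSION['rconfig_user']);
$level    = (int) ($_SESSION['userlevel'] ?? 0);
if (!$loggedIn || $level < ADMIN_LEVEL) {
    http_response_code(403);
    exit('Authentication required.');
}

// 3. Only after both checks pass does the original listing logic
//    (the SELECT on the users table and the HTML table) execute.
```

Pairing this with a web-server rule that denies requests for `*.inc.php` paths gives defence in depth, since the guard then never has to run for a direct request at all.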